{ "id": "d2d9a370-0938-4c2d-a7be-28f991eab685", "created_at": "2026-04-06T00:10:21.350464Z", "updated_at": "2026-04-10T13:11:43.0935Z", "deleted_at": null, "sha1_hash": "e7e6a307da38b5f94868a82a66042be33992c7f5", "title": "APT review: what the world’s threat actors got up to in 2019", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 82120, "plain_text": "APT review: what the world’s threat actors got up to in 2019\r\nBy David Emm\r\nPublished: 2019-12-04 · Archived: 2026-04-05 14:18:22 UTC\r\nWhat were the most interesting developments in terms of APT activity during the year and what can we learn from\r\nthem?\r\nThis is not an easy question to answer, because researchers have only partial visibility and it´s impossible to fully\r\nunderstand the motivation for some attacks or the developments behind them. However, let´s try to approach the\r\nproblem from different angles in order to get a better understanding of what happened with the benefit of\r\nhindsight and perspective.\r\nCompromising supply chains\r\nTargeting supply chains has proved very successful for attackers in recent years – high-profile examples include\r\nShadowPad, ExPetr and the backdooring of CCleaner. In our threat predictions for 2019, we flagged this as a\r\nlikely continuing attack vector. We didn’t have to wait very long to see this prediction come true.\r\nIn January, we discovered a sophisticated supply-chain attack involving a popular consumer hardware vendor, the\r\nmechanism used to deliver BIOS, UEFI and software updates to vendor’s laptops and desktops. The attackers\r\nbehind Operation ShadowHammer added a backdoor to the utility and then distributed it to users through official\r\nchannels. The goal of the attack was to target with precision an unknown pool of users, identified by their network\r\nadapter MAC addresses. The attackers hardcoded a list of MAC addresses into the Trojanized samples,\r\nrepresenting the true targets of this massive operation. We were able to extract over 600 unique MAC addresses\r\nfrom more than 200 samples discovered in this attack, although it’s possible that other samples exist that target\r\ndifferent MAC addresses. You can read our reports on ShadowHammer here and here.\r\nDisinformation\r\nQ3 was interesting for APT developments in the Middle East, especially considering the multiple leaks of alleged\r\nIranian activity that were published within just a few weeks of each other. Even more interesting is the possibility\r\nthat one of the leaks may have been part of a disinformation campaign carried out with the help of the\r\nSofacy/Hades actor.\r\nIn March, someone going by the handle Dookhtegan or Lab_dookhtegan started posting messages on Twitter\r\nusing the hashtag #apt34. They shared several files via Telegram that supposedly belonged to the OilRig threat\r\nactor. These included logins and passwords of several alleged hacking victims, tools, details of infrastructure\r\npotentially related to different intrusions, the résumés of the alleged attackers and a list of web shells – apparently\r\nrelating to the period 2014-18. The targeting and TTPs are consistent with the OilRig threat actor, but it was\r\nimpossible to confirm the origins of the tools included in the dump. If the data in the dump is accurate, it would\r\nhttps://securelist.com/ksb-2019-review-of-the-year/95394/\r\nPage 1 of 9\n\nalso show the global reach of the OilRig group, which most researchers had thought operates primarily in the\r\nMiddle East.\r\nOn April 22, an entity going by the alias Bl4ck_B0X created a Telegram channel named GreenLeakers. The\r\npurpose of the channel, as stated by its creator, was to publish information about the members of the MuddyWater\r\nAPT group, “along with information about their mother and spouse and etc.” for free. In addition to this free\r\ninformation, the Bl4ck_B0X actor(s) also hinted that they would put up for sale “highly confidential” information\r\nrelated to MuddyWater. On April 27, three screenshots were posted in the GreenLeakers Telegram channel\r\ncontaining alleged screenshots from a MuddyWater C2 server. On May 1, the channel was closed to the public and\r\nits status was changed to private. This was before Bl4ck_B0X had the chance to publish the promised information\r\non the MuddyWater group. The reason for the closure is still unclear.\r\nFinally, a website named Hidden Reality published leaks allegedly related to an entity named the Iranian RANA\r\ninstitute. It was the third leak in two months disclosing details of alleged Iranian threat actors and groups.\r\nInterestingly, this leak differed from the others by employing a website that allowed anyone to browse the leaked\r\ndocuments. It also relied on Telegram and Twitter profiles to post messages related to Iranian CNO capabilities.\r\nThe Hidden Reality website contains internal documents, chat messages and other data related to the RANA\r\ninstitute’s CNO (computer network operations) capabilities, as well as information about victims. Previous leaks\r\nhad focused more on tools, source code and individual actor profiles.\r\nClose analysis of the materials, the infrastructure and the dedicated website used by the leakers provided clues that\r\nlead us to believe that Sofacy/Hades may be connected to these leaks.\r\nLost in Translation and Dark Universe\r\nThe well-known Shadow Brokers leak, Lost in Translation, included an interesting Python script – sigs.py – that\r\ncontained lots of functions to check if a system had already been compromised by another threat actor. Each check\r\nis implemented as a function that looks for a unique signature in the system – for example, a file with a unique\r\nname or registry path. Although some checks are empty, sigs.py lists 44 entries, many of them related to unknown\r\nAPTs that have not yet been publicly described.\r\nIn 2019, we identified the APT described as the 27th function of the sigs.py file, which we call DarkUniverse. We\r\nassess with medium confidence that DarkUniverse is connected with the ItaDuke set of activities due to unique\r\ncode overlaps.\r\nThe main component is a rather simple DLL with only one exported function that implements persistence,\r\nmalware integrity, communication with the C2 and control over other modules. We found about 20 victims in\r\nWestern Asia and Northeastern Africa, including medical institutions, atomic energy bodies, military organizations\r\nand telecommunications companies.\r\nMobile attacks\r\nMobile implants are now a standard part of the toolset of many APT groups; and we have seen ample evidence of\r\nthis during 2019.\r\nhttps://securelist.com/ksb-2019-review-of-the-year/95394/\r\nPage 2 of 9\n\nIn May, the FT reported that hackers had exploited a zero-day vulnerability in WhatsApp, enabling them to\r\neavesdrop on users, read their encrypted chats, turn on the microphone and camera and install spyware that allows\r\neven further surveillance. To exploit the vulnerability, the attacker simply needed to call the victim via WhatsApp.\r\nThis specially crafted call triggered a buffer overflow in WhatsApp, allowing the attacker to take control of the\r\napplication and execute arbitrary code in it. The hackers apparently used this, not only to snoop on people’s chats\r\nand calls, but also to exploit previously unknown vulnerabilities in the operating system, which allowed them to\r\ninstall applications on the device. WhatsApp quickly released a patch for the exploit – and that seemed to be that.\r\nHowever, in October, the company filed a lawsuit accusing Israel-based NSO Group of having created the exploit.\r\nWhatsApp claims that the technology sold by NSO was used to target the mobile phones of more than 1,400 of its\r\ncustomers in 20 different countries, including human rights activists, journalists and others. NSO denies the\r\nallegations.\r\nIn July, we published a private report about the latest versions of FinSpy for Android and iOS, developed in mid-2018. The developers of FinSpy sell the software to government and law enforcement organizations all over the\r\nworld, who use it to collect a variety of private user information on various platforms. The mobile implants are\r\nsimilar for iOS and Android. They are capable of collecting personal information such as contacts, messages,\r\nemails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular\r\nmessengers. The Android implant includes functionality to gain root privileges on an unrooted device by abusing\r\nknown vulnerabilities. It seems that the iOS solution does not provide infection exploits for its customers, but is\r\nfine-tuned to clean traces of publicly available jailbreaking tools: this suggests that physical access to the victim’s\r\ndevice is required in cases where devices are not already jailbroken. The latest version includes multiple features\r\nthat we have not observed before. During our recent research, we detected up-to-date versions of these implants in\r\nthe wild in almost 20 countries, but the size of the customer base would suggest that the real number of victims\r\ncould be much higher.\r\nIn August, Google’s Project Zero team published an extensive analysis of at least 14 iOS zero-days found in the\r\nwild and used in five exploitation chains to escalate privileges by an unknown threat actor. According to Google,\r\nthe attackers used a number of ‘water-holed’ websites to deliver the exploits – possibly from as long as three years\r\nago. While the blog contained no details about the compromised sites, or whether they were still active, Google\r\nclaimed the websites had received “thousands of visitors per week”. The lack of victim discrimination points to a\r\nrelatively non-targeted attack. However, the not-so-high estimate of the number of visitors to the water-holed sites,\r\nand the capabilities needed to deliver and install this malware, and keep the exploitation chains up-to-date for\r\nmore than two years, shows a high level of resources and dedication.\r\nIn September, Zerodium, a zero-day brokerage firm, indicated that a zero-day for Android was now worth more\r\nthan one for iOS – the company is now willing to pay $2.5 million for a zero-click Android zero-day with\r\npersistence. This is a significant increase on the company’s previous payout ceiling of $2 million for remote iOS\r\njailbreaks. By contrast, Zerodium has also reduced payouts for Apple one-click exploits. On the same day,\r\nsomeone found a high-severity zero-day in the v412 (Video4Linux) driver, the Android media driver. This\r\nvulnerability, which could enable privilege escalation, was not included in Google’s September security update. A\r\nfew days later, an Android flaw was identified that left more than a billion Samsung, Huawei, LG and Sony\r\nsmartphones vulnerable to an attack that would allow an attacker to gain full access to emails on a compromised\r\nhttps://securelist.com/ksb-2019-review-of-the-year/95394/\r\nPage 3 of 9\n\ndevice using an SMS message. Whatever the relative value of Android and iOS exploits, it’s clear that mobile\r\nexploits are a valuable commodity.\r\nWhile investigating some malicious activity in Central Asia, we identified a new backdoor, named Tunnus, which\r\nwe attribute to Turla. This is.NET-based malware with the ability to run commands or perform file actions on an\r\ninfected system and send the results to its C2. So far, the threat actor has built its C2 infrastructure with vulnerable\r\nWordPress installations.\r\nThis year, Turla also wrapped its notorious JavaScript KopiLuwak malware in a dropper called Topinambour, a\r\nnew.NET file that the threat actor is using to distribute and drop KopiLuwak through infected installation\r\npackages for legitimate software programs such as VPNs. The malware is almost completely ‘fileless’: the final\r\nstage of infection, an encrypted Trojan for remote administration, is embedded into the computer’s registry for the\r\nmalware to access when ready. The group uses two KopiLuwak analogues – the.NET RocketMan Trojan and the\r\nPowerShell MiamiBeach Trojan – for cyber-espionage; we believe Turla deploys these versions where their\r\ntargets are protected with security software capable of detecting KopiLuwak.\r\nWe also observed a new COMpfun-related targeted campaign using new malware. The Kaspersky Threat\r\nAttribution Engine shows strong code similarities between the new family and the old COMpfun. Moreover, the\r\nattackers use the original COMpfun as a downloader in one of the spreading mechanisms. We named the newly\r\nidentified modules Reductor after a.pdb path left in some of the samples. We believe the same COMPfun authors,\r\nwho we tentatively associate with Turla based on victimology, developed this malware. One striking aspect of\r\nReductor is that the threat actors put a lot of effort into manipulating installed digital root certificates and marking\r\noutbound TLS traffic with unique host-related identifiers. The malware adds embedded root certificates to the\r\ntarget host and allows operators to add additional ones remotely through a named pipe. The authors don’t touch\r\nthe network packets at all. Instead, they analyze Firefox source and Chrome binary code to patch the\r\ncorresponding system pseudo-random number generation (PRNG) functions in the process’s memory. Browsers\r\nuse PRNG to generate the ‘client random’ sequence during the very beginning of the TLS handshake. Reductor\r\nadds the victims’ unique encrypted hardware- and software-based identifiers to this ‘client random’ field.\r\nZebrocy has continued adding new tools to its arsenal using various kinds of programming languages. We found\r\nZebrocy deploying a compiled Python script, which we call PythocyDbg, within a Southeast Asian foreign affairs\r\norganization. This module primarily provides for the stealthy collection of network proxy and communications\r\ndebug capabilities. In early 2019, Zebrocy shifted its development efforts with the use of Nimrod/Nim, a\r\nprogramming language with syntax resembling both Pascal and Python that can be compiled down to JavaScript\r\nor C targets. Both the Nim downloaders that the group mainly uses for spear phishing, and other Nim backdoor\r\ncode, are currently being produced by Zebrocy and delivered alongside updated compiled AutoIT scripts, Go, and\r\nDelphi modules. In September, Zebrocy spear-phished multiple NATO and alliance partners throughout Europe,\r\nattempting to gain access to email communications, credentials and sensitive documents. This campaign is similar\r\nto past Zebrocy activity, with target-relevant content used within emails, and ZIP attachments containing harmless\r\ndocuments alongside executables with altered icons and identical filenames. The group also makes use of remote\r\nWord templates pulling contents from the legitimate Dropbox file-sharing site. In this campaign, Zebrocy targeted\r\ndefense and diplomatic targets located throughout Europe and Asia with its Go backdoor and Nimcy variants.\r\nhttps://securelist.com/ksb-2019-review-of-the-year/95394/\r\nPage 4 of 9\n\nIn June, we came across an unusual set of samples used to target diplomatic, government and military\r\norganizations in countries in South and Southeast Asia that we attribute to Platinum – one of the most\r\ntechnologically advanced APT actors. In this campaign, the attackers used an elaborate, previously unseen\r\nsteganographic technique to conceal communication. A couple of years ago, we predicted that more and more APT\r\nand malware developers would use steganography, and this campaign provides proof. Interestingly, the attackers\r\ndecided to implement the utilities they need as one huge set – an example of the framework-based architecture that\r\nis becoming more and more popular. Later in the year, we discovered Platinum using a new backdoor, which we\r\ncall Titanium, in a new campaign. Interestingly, we found certain similarities between this malware and a toolset\r\nthat we called ProjectC. We detected ProjectC in 2016 being used as a toolset for lateral movement and we\r\nattributed it with low confidence to CloudComputating. Our new findings lead us to believe that the\r\nCloudComputating set of activities can be attributed to Platinum and that ProjectC was one of its toolsets.\r\nOne of the key findings of our 2018 report on Operation AppleJeus was the ability of the Lazarus group to target\r\nMac OS. Since then, Lazarus has expanded its operations for this platform. This year, we discovered a new\r\noperation, active for at least a year, which utilizes PowerShell to control Windows systems and Mac OS malware\r\nto target Apple customers. Lazarus also targeted a mobile gaming company in South Korea that we believe was\r\naimed at stealing application source code. It’s clear that Lazarus keeps updating its tools very quickly.\r\nIn Q3, we tracked new activity by BlueNoroff, a sub-group of Lazarus. In particular, we identified a bank in\r\nMyanmar that this threat actor compromised. We promptly contacted the bank, to share the IoCs we had found.\r\nOur collaboration allowed us to obtain valuable information on how the attackers move laterally to access high-value hosts, such as those owned by the bank’s system engineers interacting with SWIFT. They use a public login\r\ncredential dumper and homemade PowerShell scripts for lateral movement. BlueNoroff also employs new\r\nmalware with an uncommon structure, probably to slow down analysis. Depending on the command line\r\nparameters, this malware can run as a passive backdoor, an active backdoor or a tunneling tool; we believe the\r\ngroup runs this tool in different modes depending on the situation. Moreover, we found another type of\r\nPowerShell script used by this threat actor when it attacked a target in Turkey. This PowerShell script has similar\r\nfunctionality to those used previously, but BlueNoroff keeps changing it to evade detection.\r\nAndariel, another sub-group of Lazarus, has traditionally focused on geo-political espionage and financial\r\nintelligence in South Korea. We observed new efforts by this actor to build a new C2 infrastructure targeting\r\nvulnerable Weblogic servers, in this case exploiting CVE-2017-10271. Following a successful breach, the\r\nattackers implanted malware signed with a legitimate signature belonging to a South Korean security software\r\nvendor. The malware is a brand new type of backdoor, called ApolloZeus, which is started by a shellcode wrapper\r\nwith complex configuration data. This backdoor uses a relatively large shellcode in order to make analysis\r\ndifficult. In addition, it implements a set of features to execute the final payload discreetly. The discovery of this\r\nmalware allowed us to find several related samples, as well as documents used by the attackers to distribute it,\r\nproviding us with a better understanding of the campaign.\r\nIn October, we reported a campaign that began when we stumbled upon a sample that uses interesting decoy\r\ndocuments and images containing a contact list of North Korean overseas residents. Almost all of the decoys\r\ncontain content regarding the national holiday of the Korean Peninsula and the national day of North Korea. The\r\nlure content was also related to diplomatic issues or business relationships. Alongside the additional data from our\r\ntelemetry, we believe that this campaign is aimed at targets with a relationship with North Korea, such as business\r\nhttps://securelist.com/ksb-2019-review-of-the-year/95394/\r\nPage 5 of 9\n\npeople, diplomatic entities and human rights organizations. The actor behind this campaign used high-profile\r\nspear phishing and multi-stage infection in order to implant tailored Ghost RAT malware that can fully control the\r\nvictim. We believe that the threat actor behind this campaign, which has been ongoing for more than three years,\r\nspeaks Korean; and we believe that the DarkHotel APT group is behind it.\r\nThe Lamberts is a family of sophisticated attack tools used by one or multiple threat actors. The arsenal includes\r\nnetwork-driven backdoors, several generations of modular backdoors, harvesting tools and wipers for carrying out\r\ndestructive attacks. We created a colour scheme to distinguish the various tools and implants used against different\r\nvictims around the world. More information about the Lamberts arsenal is available in our ‘Unraveling the\r\nLamberts Toolkit’ report, available to our APT Intel customers. This year, we added several new colours to the\r\nLamberts palette. The Silver Lambert, which appears to be the successor of Gray Lambert, is a full-fledged\r\nbackdoor, implementing some specific NOBUS and OPSEC concepts such as protection from C2 sink-holing by\r\nchecking the server SSL certificate hash, self-uninstall for orphaned instances (i.e. where the C2 is unavailable)\r\nand low level file-wiping functionality. We observed victims of Silver Lambert in China, in the Aeronautics sector.\r\nViolet Lambert, a modular backdoor that appears to have been developed and deployed in 2018, is designed to run\r\non various versions of Windows – including Windows XP, as well as Vista and later versions of Windows. We\r\nobserved victims of Violet Lambert in the Middle East. We also found other new Lamberts implants on computers\r\nbelonging to a critical infrastructure victim in the Middle East. The first two we dubbed Cyan Lambert (including\r\nLight and Pro versions). The third, which we called Magenta Lambert, reuses older Lamberts code and has\r\nmultiple similarities with the Green, Black and White Lamberts. This malware listens on the network, waiting for\r\na magic ping, and then executes a very well-hidden payload that we have been unable to decrypt. All the infected\r\ncomputers went offline shortly after our discovery.\r\nEarly in the year, we monitored a campaign by the LuckyMouse threat actor that had been targeting Vietnamese\r\ngovernment and diplomatic entities abroad since at least April 2018. We believe that this activity, which we call\r\nSpoiledLegacy, is the successor to the IronTiger campaign because of the similar tools and techniques it uses. The\r\nSpoiledLegacy operators use penetration-testing frameworks such as Cobalt Strike and Metasploit. While we\r\nbelieve that they exploit network service vulnerabilities as their main initial infection vector, we have also\r\nobserved executables prepared for use in spear-phishing messages containing decoy documents, showing the\r\noperator’s flexibility. Besides pen-testing frameworks, the operators use the NetBot downloader and Earthworm\r\nSOCKS tunneler. The attackers also include HTran TCP proxy source code into the malware, to redirect traffic.\r\nSome NetBot configuration data contains LAN IPs, indicating that it downloads the next stage from another\r\ninfected host in the local network. Based on our telemetry, we believe that internal database servers are among the\r\ntargets, as in a previous LuckyMouse Mongolian campaign. As the last stage, the attackers use different in-memory 32- and 64-bit Trojans injected into system process memory. Interestingly, all the tools in the infection\r\nchain dynamically obfuscate Win32 API calls using leaked HackingTeam code. From the start of 2019, we\r\nobserved a spike in LuckyMouse activity, both in Central Asia and in the Middle East. For these new campaigns,\r\nthe attackers seem to focus on telecommunications operators, universities and governments. The infection vectors\r\nare direct compromise, spear phishing and, possibly, watering holes. Despite different open-source publications\r\ndiscussing this actor’s TTPs during the last year, LuckyMouse hasn’t changed any of them. The threat actor still\r\nrelies on its own tools to get a foothold in the victim’s network, which in the new campaigns consists of using\r\nHTTPBrowser as a first stager, followed by the Soldier Trojan as a second stage implant. The group made a\r\nhttps://securelist.com/ksb-2019-review-of-the-year/95394/\r\nPage 6 of 9\n\nchange to its infrastructure, as it seems to rely uniquely on IPv4 addresses instead of domain names for its C2s,\r\nwhich we see as an attempt to limit correlation.\r\nThe HoneyMyte APT has been active for several years. The group has adopted different techniques to perform its\r\nattacks over the past couple of years, and has targeted governments in Myanmar, Mongolia, Ethiopia, Vietnam and\r\nBangladesh, along with remote foreign embassies located in Pakistan, South Korea, the US, the UK, Belgium,\r\nNepal, Australia and Singapore. This year, the group has targeted government organizations related to natural\r\nresource management in Myanmar and a major continental African organization, suggesting that one of the main\r\nmotivations of HoneyMyte is gathering geopolitical and economic intelligence. While the group targeted a\r\nmilitary organization in Bangladesh, it’s possible that the individual targets were related to geo-political activity in\r\nthe region.\r\nThe Icefog threat actor, which we have been tracking since 2011, has consistently targeted government\r\ninstitutions, military contractors, maritime and shipbuilding organizations, telecom operators, satellite operators,\r\nindustrial and high technology companies, and mass media located mainly in Korea, Japan and Central Asia.\r\nFollowing our original report on Icefog in 2013, the group’s operational tempo slowed and we detected a very low\r\nnumber of active infections. We observed a slight increase in 2016; then, beginning in 2018, Icefog began\r\nconducting large waves of attacks against government institutions and military contractors in Central Asia, which\r\nare strategically important to China’s Belt and Road Initiative. In the latest wave of attacks, the infection began\r\nwith a spear-phishing email containing a malicious document that exploits a known vulnerability and ultimately\r\ndeploys a payload. From 2018 to the beginning of 2019, the final payload was the typical Icefog backdoor. Since\r\nMay 2019, the actors appear to have switched and are now using Poison Ivy as their main backdoor. The Poison\r\nIvy payload is dropped as a malicious DLL and is loaded using a signed legitimate program, using a technique\r\ncalled load order hijacking. This technique is very common with many actors and it was also used in previous\r\nIcefog campaigns. During our investigation, we were also able to detect artefacts used in the actor’s lateral\r\nmovement. We observed the use of a public TCP scanner downloaded from GitHub, a Mimikatz variant to dump\r\ncredentials from system memory, a customized keylogger to steal sensitive information, and a newer version of\r\nanother backdoor named Quarian. The Quarian backdoor was used to create tunnels inside the victim\r\ninfrastructure in an attempt to avoid network detections. The functionality of Quarian includes the ability to\r\nmanipulate the remote file system, get information about the victim, steal saved passwords, download or upload\r\narbitrary files, create tunnels using port forwarding, execute arbitrary commands, and start a reverse shell.\r\nEvolution of the ‘newcomers’\r\nWe first discussed ShaggyPanther, a previously unseen malware and intrusion set targeting Taiwan and Malaysia,\r\nin a private report in January 2018. Related activities date back to more than a decade ago, with similar code\r\nmaintaining compilation timestamps from 2004. Since then, ShaggyPanther activity has been detected in several\r\nmore locations: most recently in Indonesia in July, and – somewhat surprisingly – in Syria in March. The newer\r\n2018 and 2019 backdoor code maintains a new layer of obfuscation and no longer maintains clear-text C2 strings.\r\nSince our original release, we have identified an initial server-side infection vector from this actor, using\r\nSinoChopper/ChinaChopper, a commonly used web shell shared by multiple Chinese-speaking actors.\r\nSinoChopper not only performs host identification and backdoor delivery but also email archive theft and\r\nadditional activity. Although not all incidents can be traced back to server-side exploitation, we did detect a couple\r\nhttps://securelist.com/ksb-2019-review-of-the-year/95394/\r\nPage 7 of 9\n\nof cases and obtained information about their staged install process. In 2019, we observed ShaggyPanther\r\ntargeting Windows servers.\r\nIn April, we published our report on TajMahal, a previously unknown APT framework that has been active for the\r\nlast five years. This is a highly sophisticated spyware framework that includes backdoors, loaders, orchestrators,\r\nC2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents, and cryptography key\r\nstealers; and even its own file indexer for the victim’s computer. We discovered up to 80 malicious modules stored\r\nin its encrypted Virtual File System – one of the highest numbers of plugins we have ever seen in an APT toolset.\r\nThe malware features its own indexer, emergency C2s, the ability to steal specific files from external drives when\r\nthey become available again, and much more. There are two different packages, self-named Tokyo and Yokohama\r\nand the targeted computers we found include both packages. We think the attackers used Tokyo as the first stage\r\ninfection, deploying the fully functional Yokohama package on interesting victims, and then leaving Tokyo in\r\nplace for backup purposes. Our telemetry revealed just a single victim, a diplomatic body from a country in\r\nCentral Asia. This begs the question, why go to all that trouble for just one victim? We think there may be other\r\nvictims that we haven’t found yet. This theory is supported by the fact that we couldn’t see how one of the files in\r\nthe VFS was used by the malware, opening the door to the possibility of additional versions of the malware that\r\nhave yet to be detected.\r\nIn February, our AEP (Automatic Exploit Prevention) systems detected an attempt to exploit a vulnerability in\r\nWindows – the fourth consecutive exploited Local Privilege Escalation vulnerability in Windows that we had\r\ndiscovered in the preceding months. Further analysis led us to uncover a zero-day vulnerability in win32k.sys.\r\nMicrosoft patched this vulnerability, CVE-2019-0797, on March 12, crediting Kaspersky researchers Vasiliy\r\nBerdnikov and Boris Larin with the discovery. We think that several threat actors, including FruityArmor and\r\nSandCat, used this exploit. FruityArmor had used zero-days before, while SandCat is a new APT actor that we\r\ndiscovered not long before. Interestingly, FrutiyArmor and SandCat seem to follow parallel paths, both having the\r\nsame exploits available at the same time. This seems to point to a third party providing both groups with such\r\nartefacts.\r\nDuring February 2019, we observed a highly targeted attack in the southern part of Russia using a previously\r\nunknown malware that we call Cloudmid. This spy program spread via email and masqueraded as the VPN client\r\nof a well-known Russian security company that, among other things, provides solutions to protect networks. So\r\nfar, we have been unable to relate this activity to any known actor. The malware itself is a simplistic document\r\nstealer. However, given its victimology and the targeted nature of the attack, we considered it relevant enough to\r\nmonitor, even though we were unable to attribute this set of activities to any known actor. The low OPSEC and\r\nsimplistic malware involved in this operation does not seem to point to an advanced threat actor.\r\nIn February, we identified a campaign targeting military organizations in India that we were unable to attribute to\r\nany known threat actor. The attackers rely on watering holes and spear phishing to infect their victims.\r\nSpecifically, they were able to compromise the Centre for Land Warfare Studies (CLAWS) website, using it to\r\nhost a malicious document used to distribute a variant of the Netwire RAT. We also found evidence of a\r\ncompromised welfare club for military personnel distributing the same malware during the same period.\r\nIn Q3, we observed a campaign utilizing a piece of malware referred to by FireEye as DADJOKE. This malware\r\nwas first used in the wild in January 2019 and subsequently underwent constant development. We have only seen\r\nhttps://securelist.com/ksb-2019-review-of-the-year/95394/\r\nPage 8 of 9\n\nthis malware used in a small number of active campaigns since January, all targeting government, military and\r\ndiplomatic entities in the Southeast Asia region. The latest campaign, conducted in August, seems to have targeted\r\nonly a select few individuals working for a military organization.\r\nPrivacy matters\r\nOn January 17, security researcher Troy Hunt reported a leak of more than 773 million email and 21 million\r\nunique password records. The data, dubbed Collection #1, were originally shared on the popular cloud service\r\nMEGA. Collection #1 is just a small part of a bigger leak of about 1 TB of data, split into seven parts and\r\ndistributed through a data-trading forum. The full package is a collection of credentials leaked from different\r\nsources during the past few years, the most recent being from 2017, so we were unable to identify any more recent\r\ndata in this ‘new’ leak. It turned out that Collection #1 was just part of a larger dump of leaked credentials\r\ncomprising 2.2 billion stolen account records. The new data dump, dubbed Collection #2-5, was discovered by\r\nresearchers at the Hasso Plattner Institute in Potsdam.\r\nIn February, further data dumps occurred. Details of 617 million accounts, stolen from 16 hacked companies, were\r\nput up for sale on Dream Market, accessible via the Tor network. The hacked companies include Dubsmash,\r\nMyFitnessPal, Armor Games and CoffeeMeetsBagel. Subsequently, data from a further eight hacked companies\r\nwas posted to the same market place. Then in March, the hacker behind the earlier data dumps posted stolen data\r\nfrom a further six companies.\r\nStolen credentials, along with other personal information harvested from data leaks, is valuable not only to\r\ncybercriminals but also to targeted attackers, including those wishing to track the activities of dissidents and\r\nactivists in various parts of the world.\r\nWe’ve become used to a steady stream of reports in the news about leaks of email addresses and passwords. The\r\ntheft of such ‘traditional’ forms of authentication is bad enough, but the effects of using alternative methods of\r\nauthentication can be much more serious. In August, two Israeli researchers discovered fingerprints, facial\r\nrecognition data and other personal information from the Suprema Biostar 2 biometric access control system in a\r\npublicly accessible database. The exposure of biometric data is of particular concern. A compromised password\r\ncan be changed, but a biometric characteristic is for life.\r\nMoreover, the more widespread use of smart devices in new areas of our lives opens up a bigger pool of data for\r\nattackers. Consider, for example, the potential impact of smart speakers for listening in on unguarded\r\nconversations in the home. Social media giants are sitting on a growing pile of personal information – information\r\nthat would prove very valuable to criminals and APT threat actors alike.\r\nFinal thoughts\r\nWe will continue to track all the APT activity we can find and will regularly highlight the more interesting\r\nfindings, but if you want to know more, please reach out to us at intelreports@kaspersky.com\r\nSource: https://securelist.com/ksb-2019-review-of-the-year/95394/\r\nhttps://securelist.com/ksb-2019-review-of-the-year/95394/\r\nPage 9 of 9", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA", "MISPGALAXY", "Malpedia" ], "origins": [ "web" ], "references": [ "https://securelist.com/ksb-2019-review-of-the-year/95394/" ], "report_names": [ "95394" ], "threat_actors": [ { "id": "1dadf04e-d725-426f-9f6c-08c5be7da159", "created_at": "2022-10-25T15:50:23.624538Z", "updated_at": "2026-04-10T02:00:05.286895Z", "deleted_at": null, "main_name": "Darkhotel", "aliases": [ "Darkhotel", "DUBNIUM", "Zigzag Hail" ], "source_name": "MITRE:Darkhotel", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "838f6ced-12a4-4893-991a-36d231d96efd", "created_at": "2022-10-25T15:50:23.347455Z", "updated_at": "2026-04-10T02:00:05.295717Z", "deleted_at": null, "main_name": "Andariel", "aliases": [ "Andariel", "Silent Chollima", "PLUTONIUM", "Onyx Sleet" ], "source_name": "MITRE:Andariel", "tools": [ "Rifdoor", "gh0st RAT" ], "source_id": "MITRE", "reports": null }, { "id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4", "created_at": "2022-10-25T15:50:23.458833Z", "updated_at": "2026-04-10T02:00:05.419537Z", "deleted_at": null, "main_name": "APT34", "aliases": null, "source_name": "MITRE:APT34", "tools": [ "netstat", "Systeminfo", "PsExec", "SEASHARPEE", "Tasklist", "Mimikatz", "POWRUNER", "certutil" ], "source_id": "MITRE", "reports": null }, { "id": "8aaa5515-92dd-448d-bb20-3a253f4f8854", "created_at": "2024-06-19T02:03:08.147099Z", "updated_at": "2026-04-10T02:00:03.685355Z", "deleted_at": null, "main_name": "IRON HUNTER", "aliases": [ "ATK13 ", "Belugasturgeon ", "Blue Python ", "CTG-8875 ", "ITG12 ", "KRYPTON ", "MAKERSMARK ", "Pensive Ursa ", "Secret Blizzard ", "Turla", "UAC-0003 ", "UAC-0024 ", "UNC4210 ", "Venomous Bear ", "Waterbug " ], "source_name": "Secureworks:IRON HUNTER", "tools": [ "Carbon-DLL", "ComRAT", "LightNeuron", "Mosquito", "PyFlash", "Skipper", "Snake", "Tavdig" ], "source_id": "Secureworks", "reports": null }, { "id": "8670f370-1865-4264-9a1b-0dfe7617c329", "created_at": "2022-10-25T16:07:23.69953Z", "updated_at": "2026-04-10T02:00:04.716126Z", "deleted_at": null, "main_name": "Hades", "aliases": [ "Operation TrickyMouse" ], "source_name": "ETDA:Hades", "tools": [ "Brave Prince", "Gold Dragon", "GoldDragon", "Lovexxx", "Olympic Destroyer", "Running RAT", "RunningRAT", "SOURGRAPE", "running_rat" ], "source_id": "ETDA", "reports": null }, { "id": "0f47a6f3-a181-4e15-9261-50eef5f03a3a", "created_at": "2022-10-25T16:07:24.228663Z", "updated_at": "2026-04-10T02:00:04.905195Z", "deleted_at": null, "main_name": "Stealth Falcon", "aliases": [ "FruityArmor", "G0038", "Project Raven", "Stealth Falcon" ], "source_name": "ETDA:Stealth Falcon", "tools": [ "Deadglyph", "StealthFalcon" ], "source_id": "ETDA", "reports": null }, { "id": "3b56d733-88da-4394-b150-d87680ce67e4", "created_at": "2023-01-06T13:46:39.287189Z", "updated_at": "2026-04-10T02:00:03.274816Z", "deleted_at": null, "main_name": "BackdoorDiplomacy", "aliases": [ "BackDip", "CloudComputating", "Quarian" ], "source_name": "MISPGALAXY:BackdoorDiplomacy", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9443573a-7ebc-4fd3-869f-b9c820c152d8", "created_at": "2022-10-25T16:07:24.175377Z", "updated_at": "2026-04-10T02:00:04.889801Z", "deleted_at": null, "main_name": "ShaggyPanther", "aliases": [], "source_name": "ETDA:ShaggyPanther", "tools": [ "CHINACHOPPER", "China Chopper", "SinoChopper" ], "source_id": "ETDA", "reports": null }, { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5", "created_at": "2022-10-25T16:07:24.561104Z", "updated_at": "2026-04-10T02:00:05.03343Z", "deleted_at": null, "main_name": "Shadow Brokers", "aliases": [], "source_name": "ETDA:Shadow Brokers", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "1aead86d-0c57-4e3b-b464-a69f6de20cde", "created_at": "2023-01-06T13:46:38.318176Z", "updated_at": "2026-04-10T02:00:02.925424Z", "deleted_at": null, "main_name": "DAGGER PANDA", "aliases": [ "UAT-7290", "Red Foxtrot", "IceFog", "RedFoxtrot", "Red Wendigo", "PLA Unit 69010" ], "source_name": "MISPGALAXY:DAGGER PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b", "created_at": "2022-10-25T15:50:23.308924Z", "updated_at": "2026-04-10T02:00:05.298591Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "MuddyWater", "Earth Vetala", "Static Kitten", "Seedworm", "TEMP.Zagros", "Mango Sandstorm", "TA450" ], "source_name": "MITRE:MuddyWater", "tools": [ "STARWHALE", "POWERSTATS", "Out1", "PowerSploit", "Small Sieve", "Mori", "Mimikatz", "LaZagne", "PowGoop", "CrackMapExec", "ConnectWise", "SHARPSTATS", "RemoteUtilities", "Koadic" ], "source_id": "MITRE", "reports": null }, { "id": "77aedfa3-e52b-4168-8269-55ccec0946f7", "created_at": "2023-01-06T13:46:38.453791Z", "updated_at": "2026-04-10T02:00:02.981559Z", "deleted_at": null, "main_name": "Stealth Falcon", "aliases": [ "FruityArmor", "G0038" ], "source_name": "MISPGALAXY:Stealth Falcon", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "80cf66b8-27d2-4e87-b0d1-5bacacd9bb3d", "created_at": "2023-01-06T13:46:38.931567Z", "updated_at": "2026-04-10T02:00:03.149736Z", "deleted_at": null, "main_name": "SandCat", "aliases": [], "source_name": "MISPGALAXY:SandCat", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "1c97ccfd-1888-492c-b7b9-bb52c4c3809b", "created_at": "2023-01-06T13:46:38.940529Z", "updated_at": "2026-04-10T02:00:03.152806Z", "deleted_at": null, "main_name": "Operation ShadowHammer", "aliases": [], "source_name": "MISPGALAXY:Operation ShadowHammer", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2ed8d590-defa-4873-b2de-b75c9b30931e", "created_at": "2023-01-06T13:46:38.730137Z", "updated_at": "2026-04-10T02:00:03.08136Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "TEMP.Zagros", "Seedworm", "COBALT ULSTER", "G0069", "ATK51", "Mango Sandstorm", "TA450", "Static Kitten", "Boggy Serpens", "Earth Vetala" ], "source_name": "MISPGALAXY:MuddyWater", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cffb3c01-038f-4527-9cfd-57ad5a035c22", "created_at": "2022-10-25T15:50:23.38055Z", "updated_at": "2026-04-10T02:00:05.258283Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "COBALT GYPSY", "IRN2", "APT34", "Helix Kitten", "Evasive Serpens", "Hazel Sandstorm", "EUROPIUM", "ITG13", "Earth Simnavaz", "Crambus", "TA452" ], "source_name": "MITRE:OilRig", "tools": [ "ISMInjector", "ODAgent", "RDAT", "Systeminfo", "QUADAGENT", "OopsIE", "ngrok", "Tasklist", "certutil", "ZeroCleare", "POWRUNER", "netstat", "Solar", "ipconfig", "LaZagne", "BONDUPDATER", "SideTwist", "OilBooster", "SampleCheck5000", "PsExec", "SEASHARPEE", "Mimikatz", "PowerExchange", "OilCheck", "RGDoor", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "7d8ef10e-1d7b-49a0-ab6e-f1dae465a1a4", "created_at": "2023-01-06T13:46:38.595679Z", "updated_at": "2026-04-10T02:00:03.033762Z", "deleted_at": null, "main_name": "PLATINUM", "aliases": [ "TwoForOne", "G0068", "ATK33" ], "source_name": "MISPGALAXY:PLATINUM", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "110e7160-a8cc-4a66-8550-f19f7d418117", "created_at": "2023-01-06T13:46:38.427592Z", "updated_at": "2026-04-10T02:00:02.969896Z", "deleted_at": null, "main_name": "Silent Chollima", "aliases": [ "Onyx Sleet", "PLUTONIUM", "OperationTroy", "Guardian of Peace", "GOP", "WHOis Team", "Andariel", "Subgroup: Andariel" ], "source_name": "MISPGALAXY:Silent Chollima", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "171b85f2-8f6f-46c0-92e0-c591f61ea167", "created_at": "2023-01-06T13:46:38.830188Z", "updated_at": "2026-04-10T02:00:03.114926Z", "deleted_at": null, "main_name": "The Shadow Brokers", "aliases": [ "Shadow Brokers", "ShadowBrokers", "The ShadowBrokers", "TSB" ], "source_name": "MISPGALAXY:The Shadow Brokers", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9a58d7bb-dd32-41bc-804e-500ef7550cf8", "created_at": "2023-01-06T13:46:39.131811Z", "updated_at": "2026-04-10T02:00:03.2252Z", "deleted_at": null, "main_name": "ItaDuke", "aliases": [ "DarkUniverse", "SIG27" ], "source_name": "MISPGALAXY:ItaDuke", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b13c19d6-247d-47ba-86ba-15a94accc179", "created_at": "2024-05-01T02:03:08.149923Z", "updated_at": "2026-04-10T02:00:03.763147Z", "deleted_at": null, "main_name": "TUNGSTEN BRIDGE", "aliases": [ "APT-C-06 ", "ATK52 ", "CTG-1948 ", "DUBNIUM ", "DarkHotel ", "Fallout Team ", "Shadow Crane ", "Zigzag Hail " ], "source_name": "Secureworks:TUNGSTEN BRIDGE", "tools": [ "Nemim", "Tapaoux" ], "source_id": "Secureworks", "reports": null }, { "id": "e61c46f7-88a1-421a-9fed-0cfe2eeb820a", "created_at": "2022-10-25T16:07:24.061767Z", "updated_at": "2026-04-10T02:00:04.854503Z", "deleted_at": null, "main_name": "Platinum", "aliases": [ "ATK 33", "G0068", "Operation EasternRoppels", "TwoForOne" ], "source_name": "ETDA:Platinum", "tools": [ "AMTsol", "Adupib", "Adupihan", "Dipsind", "DvDupdate.dll", "JPIN", "LOLBAS", "LOLBins", "Living off the Land", "RedPepper", "RedSalt", "Titanium", "adbupd", "psinstrc.ps1" ], "source_id": "ETDA", "reports": null }, { "id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c", "created_at": "2022-10-25T15:50:23.819113Z", "updated_at": "2026-04-10T02:00:05.354598Z", "deleted_at": null, "main_name": "Threat Group-3390", "aliases": [ "Threat Group-3390", "Earth Smilodon", "TG-3390", "Emissary Panda", "BRONZE UNION", "APT27", "Iron Tiger", "LuckyMouse", "Linen Typhoon" ], "source_name": "MITRE:Threat Group-3390", "tools": [ "Systeminfo", "gsecdump", "PlugX", "ASPXSpy", "Cobalt Strike", "Mimikatz", "Impacket", "gh0st RAT", "certutil", "China Chopper", "HTTPBrowser", "Tasklist", "netstat", "SysUpdate", "HyperBro", "ZxShell", "RCSession", "ipconfig", "Clambling", "pwdump", "NBTscan", "Pandora", "Windows Credential Editor" ], "source_id": "MITRE", "reports": null }, { "id": "e993faab-f941-4561-bd87-7c33d609a4fc", "created_at": "2022-10-25T16:07:23.460301Z", "updated_at": "2026-04-10T02:00:04.617715Z", "deleted_at": null, "main_name": "Longhorn", "aliases": [ "APT-C-39", "Platinum Terminal", "The Lamberts" ], "source_name": "ETDA:Longhorn", "tools": [ "Black Lambert", "Blue Lambert", "Corentry", "Cyan Lambert", "Fluxwire", "Gray Lambert", "Green Lambert", "Magenta Lambert", "Pink Lambert", "Plexor", "Purple Lambert", "Silver Lambert", "Violet Lambert", "White Lambert" ], "source_id": "ETDA", "reports": null }, { "id": "dcf74886-fda8-4268-905a-3515ead0ab42", "created_at": "2024-02-06T02:00:04.127333Z", "updated_at": "2026-04-10T02:00:03.574562Z", "deleted_at": null, "main_name": "ShaggyPanther", "aliases": [], "source_name": "MISPGALAXY:ShaggyPanther", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "544ecd2c-82c9-417c-9d98-d1ae395df964", "created_at": "2025-10-29T02:00:52.035025Z", "updated_at": "2026-04-10T02:00:05.408558Z", "deleted_at": null, "main_name": "AppleJeus", "aliases": [ "AppleJeus", "Gleaming Pisces", "Citrine Sleet", "UNC1720", "UNC4736" ], "source_name": "MITRE:AppleJeus", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "67ac502c-8cf8-46cb-98e8-c249e0f0298d", "created_at": "2022-10-25T16:07:24.149987Z", "updated_at": "2026-04-10T02:00:04.882099Z", "deleted_at": null, "main_name": "SandCat", "aliases": [], "source_name": "ETDA:SandCat", "tools": [ "CHAINSHOT", "FinFisher", "FinFisher RAT", "FinSpy" ], "source_id": "ETDA", "reports": null }, { "id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac", "created_at": "2022-10-25T16:07:24.349252Z", "updated_at": "2026-04-10T02:00:04.949821Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "ATK 13", "Belugasturgeon", "Blue Python", "CTG-8875", "G0010", "Group 88", "ITG12", "Iron Hunter", "Krypton", "Makersmark", "Operation Epic Turla", "Operation Moonlight Maze", "Operation Penguin Turla", "Operation Satellite Turla", "Operation Skipper Turla", "Operation Turla Mosquito", "Operation WITCHCOVEN", "Pacifier APT", "Pensive Ursa", "Popeye", "SIG15", "SIG2", "SIG23", "Secret Blizzard", "TAG-0530", "Turla", "UNC4210", "Venomous Bear", "Waterbug" ], "source_name": "ETDA:Turla", "tools": [ "ASPXSpy", "ASPXTool", "ATI-Agent", "AdobeARM", "Agent.BTZ", "Agent.DNE", "ApolloShadow", "BigBoss", "COMpfun", "Chinch", "Cloud Duke", "CloudDuke", "CloudLook", "Cobra Carbon System", "ComRAT", "DoublePulsar", "EmPyre", "EmpireProject", "Epic Turla", "EternalBlue", "EternalRomance", "GoldenSky", "Group Policy Results Tool", "HTML5 Encoding", "HyperStack", "IcedCoffee", "IronNetInjector", "KSL0T", "Kapushka", "Kazuar", "KopiLuwak", "Kotel", "LOLBAS", "LOLBins", "LightNeuron", "Living off the Land", "Maintools.js", "Metasploit", "Meterpreter", "MiamiBeach", "Mimikatz", "MiniDionis", "Minit", "NBTscan", "NETTRANS", "NETVulture", "Neptun", "NetFlash", "NewPass", "Outlook Backdoor", "Penquin Turla", "Pfinet", "PowerShell Empire", "PowerShellRunner", "PowerShellRunner-based RPC backdoor", "PowerStallion", "PsExec", "PyFlash", "QUIETCANARY", "Reductor RAT", "RocketMan", "SMBTouch", "SScan", "Satellite Turla", "SilentMoon", "Sun rootkit", "TTNG", "TadjMakhal", "Tavdig", "TinyTurla", "TinyTurla Next Generation", "TinyTurla-NG", "Topinambour", "Tunnus", "Turla", "Turla SilentMoon", "TurlaChopper", "Uroburos", "Urouros", "WCE", "WITCHCOVEN", "WhiteAtlas", "WhiteBear", "Windows Credential Editor", "Windows Credentials Editor", "Wipbot", "WorldCupSec", "XTRANS", "certutil", "certutil.exe", "gpresult", "nbtscan", "nbtstat", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "b69037ec-2605-4de4-bb32-a20d780a8406", "created_at": "2023-01-06T13:46:38.790766Z", "updated_at": "2026-04-10T02:00:03.101635Z", "deleted_at": null, "main_name": "MUSTANG PANDA", "aliases": [ "Stately Taurus", "LuminousMoth", "TANTALUM", "Twill Typhoon", "TEMP.HEX", "Earth Preta", "Polaris", "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", "TA416" ], "source_name": "MISPGALAXY:MUSTANG PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2b4eec94-7672-4bee-acb2-b857d0d26d12", "created_at": "2023-01-06T13:46:38.272109Z", "updated_at": "2026-04-10T02:00:02.906089Z", "deleted_at": null, "main_name": "DarkHotel", "aliases": [ "T-APT-02", "Nemim", "Nemin", "Shadow Crane", "G0012", "DUBNIUM", "Karba", "APT-C-06", "SIG25", "TUNGSTEN BRIDGE", "Zigzag Hail", "Fallout Team", "Luder", "Tapaoux", "ATK52" ], "source_name": "MISPGALAXY:DarkHotel", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c7d9878a-e691-4c6f-81ae-84fb115a1345", "created_at": "2022-10-25T16:07:23.359506Z", "updated_at": "2026-04-10T02:00:04.556639Z", "deleted_at": null, "main_name": "APT 41", "aliases": [ "BrazenBamboo", "Bronze Atlas", "Double Dragon", "Earth Baku", "G0096", "Grayfly", "Operation ColunmTK", "Operation CuckooBees", "Operation ShadowHammer", "Red Kelpie", "SparklingGoblin", "TA415", "TG-2633" ], "source_name": "ETDA:APT 41", "tools": [ "9002 RAT", "ADORE.XSEC", "ASPXSpy", "ASPXTool", "AceHash", "Agent.dhwf", "Agentemis", "AndroidControl", "AngryRebel", "AntSword", "BLUEBEAM", "Barlaiy", "BlackCoffee", "Bladabindi", "BleDoor", "CCleaner Backdoor", "CHINACHOPPER", "COLDJAVA", "China Chopper", "ChyNode", "Cobalt Strike", "CobaltStrike", "Crackshot", "CrossWalk", "CurveLast", "CurveLoad", "DAYJOB", "DBoxAgent", "DEADEYE", "DEADEYE.APPEND", "DEADEYE.EMBED", "DEPLOYLOG", "DIRTCLEANER", "DUSTTRAP", "Derusbi", "Destroy RAT", "DestroyRAT", "DodgeBox", "DragonEgg", "ELFSHELF", "EasyNight", "Farfli", "FunnySwitch", "Gh0st RAT", "Ghost RAT", "HDD Rootkit", "HDRoot", "HKDOOR", "HOMEUNIX", "HUI Loader", "HidraQ", "HighNoon", "HighNote", "Homux", "Hydraq", "Jorik", "Jumpall", "KEYPLUG", "Kaba", "Korplug", "LATELUNCH", "LOLBAS", "LOLBins", "LightSpy", "Living off the Land", "Lowkey", "McRAT", "MdmBot", "MessageTap", "Meterpreter", "Mimikatz", "MoonBounce", "MoonWalk", "Motnug", "Moudour", "Mydoor", "NTDSDump", "PACMAN", "PCRat", "PINEGROVE", "PNGRAT", "POISONPLUG", "POISONPLUG.SHADOW", "POTROAST", "PRIVATELOG", "PipeMon", "PlugX", "PortReuse", "ProxIP", "ROCKBOOT", "RbDoor", "RedDelta", "RedXOR", "RibDoor", "Roarur", "RouterGod", "SAGEHIRE", "SPARKLOG", "SQLULDR2", "STASHLOG", "SWEETCANDLE", "ScrambleCross", "Sensocode", "SerialVlogger", "ShadowHammer", "ShadowPad Winnti", "SinoChopper", "Skip-2.0", "SneakCross", "Sogu", "Speculoos", "Spyder", "StealthReacher", "StealthVector", "TERA", "TIDYELF", "TIGERPLUG", "TOMMYGUN", "TVT", "Thoper", "Voldemort", "WIDETONE", "WINNKIT", "WINTERLOVE", "Winnti", "WyrmSpy", "X-Door", "XDOOR", "XMRig", "XShellGhost", "Xamtrav", "ZXShell", "ZoxPNG", "certutil", "certutil.exe", "cobeacon", "gresim", "njRAT", "pwdump", "xDll" ], "source_id": "ETDA", "reports": null }, { "id": "c0cedde3-5a9b-430f-9b77-e6568307205e", "created_at": "2022-10-25T16:07:23.528994Z", "updated_at": "2026-04-10T02:00:04.642473Z", "deleted_at": null, "main_name": "DarkHotel", "aliases": [ "APT-C-06", "ATK 52", "CTG-1948", "Dubnium", "Fallout Team", "G0012", "G0126", "Higaisa", "Luder", "Operation DarkHotel", "Operation Daybreak", "Operation Inexsmar", "Operation PowerFall", "Operation The Gh0st Remains the Same", "Purple Pygmy", "SIG25", "Shadow Crane", "T-APT-02", "TieOnJoe", "Tungsten Bridge", "Zigzag Hail" ], "source_name": "ETDA:DarkHotel", "tools": [ "Asruex", "DarkHotel", "DmaUp3.exe", "GreezeBackdoor", "Karba", "Nemain", "Nemim", "Ramsay", "Retro", "Tapaoux", "Trojan.Win32.Karba.e", "Virus.Win32.Pioneer.dx", "igfxext.exe", "msieckc.exe" ], "source_id": "ETDA", "reports": null }, { "id": "bc6e3644-3249-44f3-a277-354b7966dd1b", "created_at": "2022-10-25T16:07:23.760559Z", "updated_at": "2026-04-10T02:00:04.741239Z", "deleted_at": null, "main_name": "Andariel", "aliases": [ "APT 45", "Andariel", "G0138", "Jumpy Pisces", "Onyx Sleet", "Operation BLACKMINE", "Operation BLACKSHEEP/Phase 3.", "Operation Blacksmith", "Operation DESERTWOLF/Phase 3", "Operation GHOSTRAT", "Operation GoldenAxe", "Operation INITROY/Phase 1", "Operation INITROY/Phase 2", "Operation Mayday", "Operation VANXATM", "Operation XEDA", "Plutonium", "Silent Chollima", "Stonefly" ], "source_name": "ETDA:Andariel", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "70db80bd-31b7-4581-accb-914cd8252913", "created_at": "2023-01-06T13:46:38.57727Z", "updated_at": "2026-04-10T02:00:03.028845Z", "deleted_at": null, "main_name": "Longhorn", "aliases": [ "the Lamberts", "APT-C-39", "PLATINUM TERMINAL" ], "source_name": "MISPGALAXY:Longhorn", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "5d9dfc61-6138-497a-b9da-33885539f19c", "created_at": "2022-10-25T16:07:23.720008Z", "updated_at": "2026-04-10T02:00:04.726002Z", "deleted_at": null, "main_name": "Icefog", "aliases": [ "ATK 23", "Dagger Panda", "Icefog", "Red Wendigo" ], "source_name": "ETDA:Icefog", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Dagger Three", "Fucobha", "Icefog", "Javafog", "POISONPLUG.SHADOW", "RoyalRoad", "ShadowPad Winnti", "XShellGhost" ], "source_id": "ETDA", "reports": null }, { "id": "23dfc9f5-1862-4510-a6ae-53d8e51f17b1", "created_at": "2024-05-01T02:03:08.146025Z", "updated_at": "2026-04-10T02:00:03.67072Z", "deleted_at": null, "main_name": "PLATINUM TERMINAL", "aliases": [ "APT-C-39 ", "Longhorn ", "The Lamberts ", "Vault7 " ], "source_name": "Secureworks:PLATINUM TERMINAL", "tools": [ "AfterMidnight", "Assassin", "Marble Framework" ], "source_id": "Secureworks", "reports": null }, { "id": "156b3bc5-14b7-48e1-b19d-23aa17492621", "created_at": "2025-08-07T02:03:24.793494Z", "updated_at": "2026-04-10T02:00:03.634641Z", "deleted_at": null, "main_name": "COBALT ULSTER", "aliases": [ "Boggy Serpens ", "ENT-11 ", "Earth Vetala ", "ITG17 ", "MERCURY ", "Mango Sandstorm ", "MuddyWater ", "STAC 1171 ", "Seedworm ", "Static Kitten ", "TA450 ", "TEMP.Zagros ", "UNC3313 ", "Yellow Nix " ], "source_name": "Secureworks:COBALT ULSTER", "tools": [ "CrackMapExec", "Empire", "FORELORD", "Koadic", "LaZagne", "Metasploit", "Mimikatz", "Plink", "PowerStats" ], "source_id": "Secureworks", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b", "created_at": "2025-08-07T02:03:24.722093Z", "updated_at": "2026-04-10T02:00:03.681914Z", "deleted_at": null, "main_name": "COBALT EDGEWATER", "aliases": [ "APT34 ", "Cold River ", "DNSpionage " ], "source_name": "Secureworks:COBALT EDGEWATER", "tools": [ "AgentDrable", "DNSpionage", "Karkoff", "MailDropper", "SideTwist", "TWOTONE" ], "source_id": "Secureworks", "reports": null }, { "id": "c786e025-c267-40bd-9491-328da70811a5", "created_at": "2025-08-07T02:03:24.736817Z", "updated_at": "2026-04-10T02:00:03.752071Z", "deleted_at": null, "main_name": "COBALT GYPSY", "aliases": [ "APT34 ", "CHRYSENE ", "Crambus ", "EUROPIUM ", "Hazel Sandstorm ", "Helix Kitten ", "ITG13 ", "OilRig ", "Yellow Maero " ], "source_name": "Secureworks:COBALT GYPSY", "tools": [ "Glimpse", "Helminth", "Jason", "MacDownloader", "PoisonFrog", "RGDoor", "ThreeDollars", "TinyZbot", "Toxocara", "Trichuris", "TwoFace" ], "source_id": "Secureworks", "reports": null }, { "id": "6daadf00-952c-408a-89be-aa490d891743", "created_at": "2025-08-07T02:03:24.654882Z", "updated_at": "2026-04-10T02:00:03.645565Z", "deleted_at": null, "main_name": "BRONZE PRESIDENT", "aliases": [ "Earth Preta ", "HoneyMyte ", "Mustang Panda ", "Red Delta ", "Red Lich ", "Stately Taurus ", "TA416 ", "Temp.Hex ", "Twill Typhoon " ], "source_name": "Secureworks:BRONZE PRESIDENT", "tools": [ "BlueShell", "China Chopper", "Claimloader", "Cobalt Strike", "HIUPAN", "ORat", "PTSOCKET", "PUBLOAD", "PlugX", "RCSession", "TONESHELL", "TinyNote" ], "source_id": "Secureworks", "reports": null }, { "id": "a97fee0d-af4b-4661-ae17-858925438fc4", "created_at": "2023-01-06T13:46:38.396415Z", "updated_at": "2026-04-10T02:00:02.957137Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "TAG_0530", "Pacifier APT", "Blue Python", "UNC4210", "UAC-0003", "VENOMOUS Bear", "Waterbug", "Pfinet", "KRYPTON", "Popeye", "SIG23", "ATK13", "ITG12", "Group 88", "Uroburos", "Hippo Team", "IRON HUNTER", "MAKERSMARK", "Secret Blizzard", "UAC-0144", "UAC-0024", "G0010" ], "source_name": "MISPGALAXY:Turla", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "67709937-2186-4a32-b64c-a5693d40ac77", "created_at": "2023-01-06T13:46:38.495593Z", "updated_at": "2026-04-10T02:00:02.999196Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "Crambus", "Helix Kitten", "APT34", "IRN2", "ATK40", "G0049", "EUROPIUM", "TA452", "Twisted Kitten", "Cobalt Gypsy", "APT 34", "Evasive Serpens", "Hazel Sandstorm", "Earth Simnavaz" ], "source_name": "MISPGALAXY:OilRig", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3", "created_at": "2022-10-25T15:50:23.509601Z", "updated_at": "2026-04-10T02:00:05.277674Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "Turla", "IRON HUNTER", "Group 88", "Waterbug", "WhiteBear", "Krypton", "Venomous Bear", "Secret Blizzard", "BELUGASTURGEON" ], "source_name": "MITRE:Turla", "tools": [ "PsExec", "nbtstat", "ComRAT", "netstat", "certutil", "KOPILUWAK", "IronNetInjector", "LunarWeb", "Arp", "Uroburos", "PowerStallion", "Kazuar", "Systeminfo", "LightNeuron", "Mimikatz", "Tasklist", "LunarMail", "HyperStack", "NBTscan", "TinyTurla", "Penquin", "LunarLoader" ], "source_id": "MITRE", "reports": null }, { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb", "created_at": "2022-10-25T16:07:23.880522Z", "updated_at": "2026-04-10T02:00:04.775749Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "ATK 51", "Boggy Serpens", "Cobalt Ulster", "G0069", "ITG17", "Mango Sandstorm", "MuddyWater", "Operation BlackWater", "Operation Earth Vetala", "Operation Quicksand", "Seedworm", "Static Kitten", "T-APT-14", "TA450", "TEMP.Zagros", "Yellow Nix" ], "source_name": "ETDA:MuddyWater", "tools": [ "Agentemis", "BugSleep", "CLOUDSTATS", "ChromeCookiesView", "Cobalt Strike", "CobaltStrike", "CrackMapExec", "DCHSpy", "DELPHSTATS", "EmPyre", "EmpireProject", "FruityC2", "Koadic", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "MZCookiesView", "Meterpreter", "Mimikatz", "MuddyC2Go", "MuddyRot", "Mudwater", "POWERSTATS", "PRB-Backdoor", "PhonyC2", "PowGoop", "PowerShell Empire", "PowerSploit", "Powermud", "QUADAGENT", "SHARPSTATS", "SSF", "Secure Socket Funneling", "Shootback", "Smbmap", "Valyria", "chrome-passwords", "cobeacon", "prb_backdoor" ], "source_id": "ETDA", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "771d9263-076e-4b6e-bd58-92b6555eb739", "created_at": "2025-08-07T02:03:25.092436Z", "updated_at": "2026-04-10T02:00:03.758541Z", "deleted_at": null, "main_name": "NICKEL HYATT", "aliases": [ "APT45 ", "Andariel", "Dark Seoul", "Jumpy Pisces ", "Onyx Sleet ", "RIFLE Campaign", "Silent Chollima ", "Stonefly ", "UN614 " ], "source_name": "Secureworks:NICKEL HYATT", "tools": [ "ActiveX 0-day", "DTrack", "HazyLoad", "HotCriossant", "Rifle", "UnitBot", "Valefor" ], "source_id": "Secureworks", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0", "created_at": "2022-10-25T15:50:23.240383Z", "updated_at": "2026-04-10T02:00:05.299433Z", "deleted_at": null, "main_name": "APT38", "aliases": [ "APT38", "NICKEL GLADSTONE", "BeagleBoyz", "Bluenoroff", "Stardust Chollima", "Sapphire Sleet", "COPERNICIUM" ], "source_name": "MITRE:APT38", "tools": [ "ECCENTRICBANDWAGON", "HOPLIGHT", "Mimikatz", "KillDisk", "DarkComet" ], "source_id": "MITRE", "reports": null }, { "id": "33f527a5-a5da-496a-a48c-7807cc858c3e", "created_at": "2022-10-25T15:50:23.803657Z", "updated_at": "2026-04-10T02:00:05.333523Z", "deleted_at": null, "main_name": "PLATINUM", "aliases": [ "PLATINUM" ], "source_name": "MITRE:PLATINUM", "tools": [ "JPIN", "Dipsind", "adbupd" ], "source_id": "MITRE", "reports": null }, { "id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd", "created_at": "2022-10-25T16:07:23.766784Z", "updated_at": "2026-04-10T02:00:04.7432Z", "deleted_at": null, "main_name": "Bluenoroff", "aliases": [ "APT 38", "ATK 117", "Alluring Pisces", "Black Alicanto", "Bluenoroff", "CTG-6459", "Copernicium", "G0082", "Nickel Gladstone", "Sapphire Sleet", "Selective Pisces", "Stardust Chollima", "T-APT-15", "TA444", "TAG-71", "TEMP.Hermit" ], "source_name": "ETDA:Bluenoroff", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "5c13338b-eaed-429a-9437-f5015aa98276", "created_at": "2022-10-25T16:07:23.582715Z", "updated_at": "2026-04-10T02:00:04.675765Z", "deleted_at": null, "main_name": "Emissary Panda", "aliases": [ "APT 27", "ATK 15", "Bronze Union", "Budworm", "Circle Typhoon", "Earth Smilodon", "Emissary Panda", "G0027", "Group 35", "Iron Taurus", "Iron Tiger", "Linen Typhoon", "LuckyMouse", "Operation DRBControl", "Operation Iron Tiger", "Operation PZChao", "Operation SpoiledLegacy", "Operation StealthyTrident", "Red Phoenix", "TEMP.Hippo", "TG-3390", "ZipToken" ], "source_name": "ETDA:Emissary Panda", "tools": [ "ASPXSpy", "ASPXTool", "Agent.dhwf", "AngryRebel", "Antak", "CHINACHOPPER", "China Chopper", "Destroy RAT", "DestroyRAT", "FOCUSFJORD", "Farfli", "Gh0st RAT", "Ghost RAT", "HTTPBrowser", "HTran", "HUC Packet Transmit Tool", "HighShell", "HttpBrowser RAT", "HttpDump", "HyperBro", "HyperSSL", "HyperShell", "Kaba", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "Moudour", "Mydoor", "Nishang", "OwaAuth", "PCRat", "PlugX", "ProcDump", "PsExec", "RedDelta", "SEASHARPEE", "Sensocode", "SinoChopper", "Sogu", "SysUpdate", "TIGERPLUG", "TVT", "Thoper", "Token Control", "TokenControl", "TwoFace", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "Xamtrav", "ZXShell", "gsecdump", "luckyowa" ], "source_id": "ETDA", "reports": null }, { "id": "2ee03999-5432-4a65-a850-c543b4fefc3d", "created_at": "2022-10-25T16:07:23.882813Z", "updated_at": "2026-04-10T02:00:04.776949Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Bronze President", "Camaro Dragon", "Earth Preta", "G0129", "Hive0154", "HoneyMyte", "Mustang Panda", "Operation SMUGX", "Operation SmugX", "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon" ], "source_name": "ETDA:Mustang Panda", "tools": [ "9002 RAT", "AdFind", "Agent.dhwf", "Agentemis", "CHINACHOPPER", "China Chopper", "Chymine", "ClaimLoader", "Cobalt Strike", "CobaltStrike", "DCSync", "DOPLUGS", "Darkmoon", "Destroy RAT", "DestroyRAT", "Farseer", "Gen:Trojan.Heur.PT", "HOMEUNIX", "Hdump", "HenBox", "HidraQ", "Hodur", "Homux", "HopperTick", "Hydraq", "Impacket", "Kaba", "Korplug", "LadonGo", "MQsTTang", "McRAT", "MdmBot", "Mimikatz", "NBTscan", "NetSess", "Netview", "Orat", "POISONPLUG.SHADOW", "PUBLOAD", "PVE Find AD Users", "PlugX", "Poison Ivy", "PowerView", "QMAGENT", "RCSession", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Sogu", "TIGERPLUG", "TONEINS", "TONESHELL", "TVT", "TeamViewer", "Thoper", "TinyNote", "WispRider", "WmiExec", "XShellGhost", "Xamtrav", "Zupdax", "cobeacon", "nbtscan", "nmap", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-10T02:00:03.610018Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-10T02:00:05.283292Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null }, { "id": "59ce37c7-ce10-4cc3-ab27-c784a8a0898a", "created_at": "2022-10-25T16:07:23.534403Z", "updated_at": "2026-04-10T02:00:04.645423Z", "deleted_at": null, "main_name": "DarkUniverse", "aliases": [], "source_name": "ETDA:DarkUniverse", "tools": [ "dfrgntfs5.sqt", "glue30.dll", "msvcrt58.sqt", "updater.mod", "zl4vq.sqt" ], "source_id": "ETDA", "reports": null }, { "id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab", "created_at": "2022-10-25T16:07:24.212584Z", "updated_at": "2026-04-10T02:00:04.900038Z", "deleted_at": null, "main_name": "Sofacy", "aliases": [ "APT 28", "ATK 5", "Blue Athena", "BlueDelta", "FROZENLAKE", "Fancy Bear", "Fighting Ursa", "Forest Blizzard", "G0007", "Grey-Cloud", "Grizzly Steppe", "Group 74", "GruesomeLarch", "ITG05", "Iron Twilight", "Operation DealersChoice", "Operation Dear Joohn", "Operation Komplex", "Operation Pawn Storm", "Operation RoundPress", "Operation Russian Doll", "Operation Steal-It", "Pawn Storm", "SIG40", "Sednit", "Snakemackerel", "Sofacy", "Strontium", "T-APT-12", "TA422", "TAG-0700", "TAG-110", "TG-4127", "Tsar Team", "UAC-0028", "UAC-0063" ], "source_name": "ETDA:Sofacy", "tools": [ "ADVSTORESHELL", "AZZY", "Backdoor.SofacyX", "CHERRYSPY", "CORESHELL", "Carberp", "Computrace", "DealersChoice", "Delphacy", "Downdelph", "Downrage", "Drovorub", "EVILTOSS", "Foozer", "GAMEFISH", "GooseEgg", "Graphite", "HATVIBE", "HIDEDRV", "Headlace", "Impacket", "JHUHUGIT", "JKEYSKW", "Koadic", "Komplex", "LOLBAS", "LOLBins", "Living off the Land", "LoJack", "LoJax", "MASEPIE", "Mimikatz", "NETUI", "Nimcy", "OCEANMAP", "OLDBAIT", "PocoDown", "PocoDownloader", "Popr-d30", "ProcDump", "PythocyDbg", "SMBExec", "SOURFACE", "SPLM", "STEELHOOK", "Sasfis", "Sedkit", "Sednit", "Sedreco", "Seduploader", "Shunnael", "SkinnyBoy", "Sofacy", "SofacyCarberp", "SpiderLabs Responder", "Trojan.Shunnael", "Trojan.Sofacy", "USB Stealer", "USBStealer", "VPNFilter", "Win32/USBStealer", "WinIDS", "Winexe", "X-Agent", "X-Tunnel", "XAPS", "XTunnel", "Xagent", "Zebrocy", "Zekapab", "carberplike", "certutil", "certutil.exe", "fysbis", "webhp" ], "source_id": "ETDA", "reports": null }, { "id": "b6436f7b-6012-4969-aed1-d440e2e8b238", "created_at": "2022-10-25T16:07:23.91517Z", "updated_at": "2026-04-10T02:00:04.788408Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "APT 34", "ATK 40", "Chrysene", "Cobalt Gypsy", "Crambus", "DEV-0861", "EUROPIUM", "Earth Simnavaz", "Evasive Serpens", "G0049", "Hazel Sandstorm", "Helix Kitten", "IRN2", "ITG13", "Scarred Manticore", "Storm-0861", "TA452", "Twisted Kitten", "UNC1860", "Yellow Maero" ], "source_name": "ETDA:OilRig", "tools": [ "AMATIAS", "Agent Drable", "Agent Injector", "AgentDrable", "Alma Communicator", "BONDUPDATER", "CACTUSPIPE", "Clayslide", "CypherRat", "DNSExfitrator", "DNSpionage", "DROPSHOT", "DistTrack", "DropperBackdoor", "Fox Panel", "GREYSTUFF", "GoogleDrive RAT", "HighShell", "HyperShell", "ISMAgent", "ISMDoor", "ISMInjector", "Jason", "Karkoff", "LIONTAIL", "LOLBAS", "LOLBins", "LONGWATCH", "LaZagne", "Living off the Land", "MailDropper", "Mimikatz", "MrPerfectInstaller", "OILYFACE", "OopsIE", "POWBAT", "POWRUNER", "Plink", "Poison Frog", "PowerExchange", "PsList", "PuTTY Link", "QUADAGENT", "RDAT", "RGDoor", "SEASHARPEE", "Saitama", "Saitama Backdoor", "Shamoon", "SideTwist", "SpyNote", "SpyNote RAT", "StoneDrill", "TONEDEAF", "TONEDEAF 2.0", "ThreeDollars", "TwoFace", "VALUEVAULT", "Webmask", "WinRAR", "ZEROCLEAR", "ZeroCleare", "certutil", "certutil.exe" ], "source_id": "ETDA", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434221, "ts_updated_at": 1775826703, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e7e6a307da38b5f94868a82a66042be33992c7f5.pdf", "text": "https://archive.orkl.eu/e7e6a307da38b5f94868a82a66042be33992c7f5.txt", "img": "https://archive.orkl.eu/e7e6a307da38b5f94868a82a66042be33992c7f5.jpg" } }